In recent years, the classic IT security protocol of ‘username and password’ has become increasingly susceptible to cyberattacks. According to recent research, account takeovers are becoming ever more common, with almost a third of US adults having lost control of a digital account in 2023. Of those, a quarter were business accounts or accounts used for both personal and business use. Social media accounts were the most frequently breached, with banking and email apps in second and third place. And 70% of breached accounts were ‘protected’ by a password that the owner had re-used elsewhere.
For organizations of all sizes, this is a serious wake-up call. Business accounts are at risk of direct takeover, and as the lines between personal and business IT blur, company systems are also exposed by personal accounts used on business devices and by personal devices used for business purposes. Password reuse makes this worse: if you share your streaming password with a few friends and that same password also protects a work account, it only takes one of them being careless for the credential to end up in a leaked list, and attackers routinely replay leaked credentials against other services (credential stuffing). The result can cost your company both financially and reputationally.
In short, we can no longer rely on passwords alone to maintain good cybersecurity hygiene in organizations. Attackers have a variety of reliable methods for obtaining passwords: phishing, credential stuffing with previously leaked passwords, offline cracking of stolen password hashes, and malware that captures keystrokes or browser-saved credentials. As a result, passwords must be supplemented with additional layers of security. Let’s explore some of the key strategies organizations can deploy to improve their defense against password-stealing attacks, and ensure their systems remain secure in an increasingly challenging landscape.
Mobile device management and the importance of single sign-on
First up, a key place to start is developing a strong set of mobile device management (MDM) policies. These govern the hardware and the apps that sit on it: enforcing device encryption, a screen lock, minimum OS patch levels and an approved-app list, and controlling how corporate apps share data with each other, so that there is as little chance of a breach as possible.
As part of strong mobile device management, single sign-on (SSO) can be a helpful way to balance security with usability. It allows users to log into multiple different apps with one set of credentials; a common example would be using a single Google or Microsoft login to access email, word processing, spreadsheet, and slide creation apps. The benefit of a robust single sign-on system is that there is one credential and one place to enforce policy: password strength rules, MFA and session limits apply to every connected app at once, and if the account is suspected of being compromised, resetting that one credential and revoking its sessions locks the attacker out of every app, including the ones an employee rarely opens and would otherwise forget to secure. Note that current guidance (NIST SP 800-63B) advises against forcing a password change every 90 days for its own sake, because it pushes users toward predictable variations; rotate the credential when there is evidence of compromise, and screen new passwords against known-breached lists instead.
Single sign-on can also be augmented with two-factor authentication (2FA) or multi-factor authentication (MFA). When you log in, you’re required to supply a second factor in addition to your password, such as a one-time password generated by an authenticator app or delivered to your work phone number or email address, so an attacker who has only your password cannot take over the account. Bear in mind that codes sent by SMS or email are the weakest option: they can be intercepted through SIM swapping or a compromised mailbox, and a phishing site can simply ask the victim to type the code in. Push-based MFA also notifies the user when someone attempts to sign in, so if it’s not the user making the request, they know someone could be trying to break in; attackers do exploit this by sending repeated prompts until a tired user taps “approve”, so prefer push that requires the user to enter a number shown on the login screen. The strongest option is to bind the login to a particular device or to the correct fingerprint or face via a FIDO2 security key or passkey, which is phishing-resistant because the credential only works for the genuine site.
Biometrics, fingerprints, and innovations in identity security
Powerful innovations in biometric technologies and AI-powered smart security can also augment passwords and support users in taking extra measures that protect their online identity. For example, face, eye, and gaze-sensing can be used to lock the screen automatically when the user looks away and unlock it when they return. AI-driven anomaly detection can also flag unusual sign-in activity, such as a login from a new country minutes after one from the office, and alert users to a potential breach. For example, on laptops running Windows 11 with Windows Hello, it’s possible to unlock the computer with facial recognition using an IR-enabled webcam, in line with common usage on smartphones; the biometric template stays on the device, so it is a local unlock rather than a password sent over the network.
Managing an attack
Containerization is also a key method for protecting hardware that’s being used for both personal and business needs. It lets businesses partition employee devices into a managed work profile and a personal profile on the same hardware, with corporate apps and data stored and encrypted separately from personal apps and data and subject to their own policies, such as blocking copy-and-paste out of the work side. As a result, if something is compromised through personal use of an insecure app, for example, containerization limits the impact to the personal side, protecting company data.
Likewise, if companies have good mobile device management software in place, when the employee comes to leave, any work-related files or apps can be selectively wiped from the device remotely, leaving personal data untouched. This reduces the risk of sensitive data being accidentally (or maliciously) leaked after their departure.
Training employees to hold the line
Which leads on to a key point: all the technology in the world won’t save companies from breaches if their employees aren’t well-trained in good security practice. Improving security comes down to employee awareness and training: doing the grunt work of issuing each user a unique initial password that must be changed at first login, and explaining why that password must never be reused on any other service.
One way to improve outcomes of employee training is to use gamification. This encourages participation and incentivizes all employees to care about and contribute to a safe cybersecurity culture. A basic example of gamification is to encourage participation through rewards such as tickets to major events, or online shopping vouchers, for those completing the required training.
Organizations can run simulated phishing exercises, sending out fake phishing emails to see if employees fall for them. If staff don’t just avoid clicking but spot the attack and report it correctly, they’re rewarded similarly, and as a result good security practice becomes incentivized beyond the sense that it serves the greater security good. It might sound a little mercenary, but it’s ultimately a lot cheaper to recognize good security practice than to fix bad security practice.
Why passwords will ultimately become obsolete
It’s quite possible that the humble password’s days may be numbered. In many breaches, passwords are the point of failure. Blind brute-force guessing is rarely the route in today; attackers instead replay passwords leaked from other sites (credential stuffing), try a few common passwords across many accounts (password spraying), or use social engineering to worm information out of people, getting them on the phone and requesting details they’re often happy to give out, then guessing or resetting their password with that information. Biometrics are the most promising alternative, both in terms of fingerprint or facial scans and behavioral biometrics, including analysis of how you type, how you move your mouse, and how you interact with your device.
With preventative measures like these in place, businesses and employees alike can be empowered to practice safe security and better protect their online identity and presence.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro